On 18/04/2006 00:12, Ian Hickson wrote:
> Access check: If there are response headers with the name
> "Content-Access-Control", then they must have their values parsed
> as the data part of an <?access-control?> PI.
My concern with this security model is that it doesn't prevent malicious
scripts injected into a site from calling back to a host. For example, I
can set up a server to allow requests from all, then contrive to inject a
script via a broken forum that sends account details back to my server.
The current cross-domain scripting rules prevent this.
I propose a simpler solution that allows hosts to declare their
membership of cross-site scripting domains so that any host serving up
scripts can restrict the scope of that script's actions.
When serving the script the originating host should issue a
Scripting-Domain response header consisting of a comma-delimited list
of tokens. Before issuing any request to a third-party host the send()
method must first issue a HEAD request to the given URI. If the
third-party host includes a Scripting-Domain response header and any of
the tokens in this header match any of the tokens in the originating
host's Scripting-Domain header then the send() method should proceed
with the request, otherwise it must act as if there had been a
network-level failure.
The XHR object must not send the originating host's tokens to any other
host. The tokens can be generated based on any suitable algorithm; it's
up to the originating host to coordinate with third-party hosts for
token meaning.
Ian
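A client-side model of the Scripting-Domain check proposed above, added here as an example; it is not code from this thread or from any XHR implementation. `decideSend`, `headRequest`, the token names and the sample hosts are assumptions for illustration.

```javascript
// Parse a comma-delimited Scripting-Domain header into a set of tokens.
// Surrounding whitespace is ignored and empty entries are dropped; an
// absent header yields no tokens, so it can never match anything.
function parseScriptingDomain(headerValue) {
  if (headerValue == null) return new Set();
  return new Set(
    String(headerValue).split(',').map(t => t.trim()).filter(t => t.length > 0)
  );
}

// True when at least one token appears in both the originating host's
// header and the third-party host's header. Tokens are opaque strings,
// so comparison is exact (no case folding).
function scriptingDomainsOverlap(originHeader, thirdPartyHeader) {
  const origin = parseScriptingDomain(originHeader);
  const third = parseScriptingDomain(thirdPartyHeader);
  for (const token of third) if (origin.has(token)) return true;
  return false;
}

// Model of send(): headRequest(uri) stands in for the HEAD pre-flight and
// returns the third party's response headers as an object keyed by
// lower-cased header name, or null when the request itself failed.
// The originating host's tokens stay on the client; only the URI goes out.
// A mismatch is reported exactly like a network-level failure, as proposed.
function decideSend(originTokensHeader, uri, headRequest) {
  const headers = headRequest(uri);
  if (!headers) return 'network-failure';
  const thirdPartyHeader = headers['scripting-domain'];
  return scriptingDomainsOverlap(originTokensHeader, thirdPartyHeader)
    ? 'proceed'
    : 'network-failure';
}

// Constructed sample: a fake HEAD responder for a few hypothetical hosts.
// Unknown URIs return null, modelling an unreachable host.
const sampleHeadResponder = uri => ({
  'https://partner.example/api': { 'scripting-domain': 'acme-partners, acme-billing' },
  'https://other.example/api': { 'scripting-domain': 'unrelated' },
  'https://no-header.example/api': {},
}[uri] || null);

console.log(decideSend('acme-billing', 'https://partner.example/api', sampleHeadResponder)); // proceed
console.log(decideSend('acme-billing', 'https://other.example/api', sampleHeadResponder));   // network-failure
```

Because the pre-flight carries none of the originating host's tokens, the comparison happens entirely in the client, and the third party learns only that a HEAD request arrived.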